1
votes

How can I configure ADFS so that it includes WantAuthnRequestsSigned="true" in its identity provider federation metadata (FederationMetadata/2007-06/FederationMetadata.xml) document?

I want to use this attribute to suggest to service providers (relying parties) that authentication requests should be signed.

It also seems that even if there is a signing certificate specified in the service provider metadata, ADFS will not enforce that it must be used. Any way to change this behaviour?

I'm using ADFS on Windows Server 2012 R2.


1 Answer

3
votes

Use this PowerShell command to configure it.

Set-AdfsProperties -SignedSamlRequestsRequired $true

Help for the switch explains its use case. https://technet.microsoft.com/en-us/itpro/powershell/windows/adfs/set-adfsproperties has online help.

-SignedSamlRequestsRequired [] Indicates whether the Federation Service requires signed SAML protocol requests from the relying party. If you specify a value of $True, the Federation Service rejects unsigned SAML protocol requests.

You can also enforce at the RP trust representing the app whether you want signed requests or not. This won't change the federation metadata of your AD FS.

Set-AdfsRelyingPartyTrust -TargetIdentifier urn:test:app -SignedSamlRequestsRequired $true
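The following script is an added example and is not part of the original answer. It puts the two cmdlets from the answer into a small audit-then-enforce procedure: it records the farm-wide SignedSamlRequestsRequired value, enables it, enforces signing on one relying party trust only if that trust actually carries a request signing certificate (otherwise every request from that RP would be rejected), and finally fetches the IdP metadata to show what WantAuthnRequestsSigned is advertised to service providers. The host name sts.example.com and the identifier urn:test:app are assumed placeholders; run it in an elevated PowerShell session on an AD FS server.

```powershell
# Added example, not code from the original answer.
# Assumptions (hypothetical): farm host sts.example.com, RP identifier urn:test:app.
Import-Module ADFS

$FarmHost     = 'sts.example.com'
$RpIdentifier = 'urn:test:app'

# 1. Farm-wide: the Federation Service rejects unsigned SAML protocol requests from every RP.
$props = Get-AdfsProperties
"Before: SignedSamlRequestsRequired = $($props.SignedSamlRequestsRequired)"
if (-not $props.SignedSamlRequestsRequired) {
    Set-AdfsProperties -SignedSamlRequestsRequired $true
}
"After:  SignedSamlRequestsRequired = $((Get-AdfsProperties).SignedSamlRequestsRequired)"

# 2. Per-RP: only enforce when the trust holds a request signing certificate,
#    otherwise AD FS has nothing to validate against and will reject all of its requests.
$rp = Get-AdfsRelyingPartyTrust -Identifier $RpIdentifier
if (-not $rp) {
    Write-Warning "No relying party trust with identifier $RpIdentifier"
} elseif (-not $rp.RequestSigningCertificate) {
    Write-Warning "$RpIdentifier has no request signing certificate; not enforcing signed requests for it"
} else {
    Set-AdfsRelyingPartyTrust -TargetIdentifier $RpIdentifier -SignedSamlRequestsRequired $true
    "RP $RpIdentifier now requires signed requests, validated against: $($rp.RequestSigningCertificate.Subject)"
}

# 3. Verify what the published IdP metadata tells service providers.
$url = "https://$FarmHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$idp = $md.SelectSingleNode('//md:IDPSSODescriptor', $ns)
"Metadata IDPSSODescriptor WantAuthnRequestsSigned = '$($idp.GetAttribute('WantAuthnRequestsSigned'))'"
```

The metadata check in step 3 is the quickest way to confirm which of the two settings affects the published document: re-run it after changing only the per-trust setting and the attribute should be unchanged, as the answer states. Remember that service providers typically cache federation metadata, so a changed attribute is only seen by them after they refresh.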